Security
OpcSharp implements the full OPC UA security model with 12 security policies, 3 security modes, and 4 user identity types.
Security Policies
RSA Policies
| Policy | Status | Notes |
|---|---|---|
| None | Supported | No signing or encryption |
| Basic128Rsa15 | Supported | Deprecated but available |
| Basic256 | Supported | Deprecated but available |
| Basic256Sha256 | Supported | Recommended minimum |
| Aes128_Sha256_RsaOaep | Supported | |
| Aes256_Sha256_RsaPss | Supported | Strongest RSA policy |
ECC Policies (net8.0+)
| Policy | Status | Notes |
|---|---|---|
| ECC_nistP256 | Supported | NIST curve |
| ECC_nistP384 | Supported | NIST curve |
| ECC_brainpoolP256r1 | Supported | Brainpool curve |
| ECC_brainpoolP384r1 | Supported | Brainpool curve |
| ECC_curve25519 | Supported | ChaCha20-Poly1305 AEAD, X25519/Ed25519 |
| ECC_curve448 | Supported | ChaCha20-Poly1305 AEAD, X448/Ed448 |
Security Modes
- None — no message security
- Sign — messages are signed for integrity
- SignAndEncrypt — messages are signed and encrypted
Configuring Security
Using the overload with explicit policy URI and mode:
```csharp
var client = new OpcSharpClientBuilder()
    .WithEndpoint("opc.tcp://localhost:4840")
    .WithSecurity(SecurityPolicyUris.Basic256Sha256, MessageSecurityMode.SignAndEncrypt)
    .WithApplicationCertificate("certs/client.pfx", "password")
    .Build();
```

Using the Action<SecurityOptions> overload:

```csharp
var client = new OpcSharpClientBuilder()
    .WithEndpoint("opc.tcp://localhost:4840")
    .WithSecurity(options =>
    {
        options.PolicyUri = SecurityPolicyUris.Basic256Sha256;
        options.Mode = MessageSecurityMode.SignAndEncrypt;
    })
    .WithApplicationCertificate("certs/client.pfx", "password")
    .Build();
```

Auto-accept untrusted certificates (development only):

```csharp
var client = new OpcSharpClientBuilder()
    .WithEndpoint("opc.tcp://localhost:4840")
    .WithSecurity(SecurityPolicyUris.Basic256Sha256, MessageSecurityMode.SignAndEncrypt)
    .WithAutoAcceptUntrustedCertificates(true) // WARNING: insecure, use only in development
    .Build();
```

User Identity Types
Anonymous
```csharp
// Default — no credentials required
var client = new OpcSharpClientBuilder()
    .WithEndpoint("opc.tcp://localhost:4840")
    .Build();
```

UserName/Password
Password is RSA-encrypted with the server’s public key. Padding varies by security policy.
```csharp
var client = new OpcSharpClientBuilder()
    .WithEndpoint("opc.tcp://localhost:4840")
    .WithUserIdentity(new UserNameIdentity("user", "password"))
    .Build();
```

X.509 Certificate
Signs the activation request with the client certificate’s private key.
```csharp
var cert = new X509Certificate2("user-cert.pfx", "password");
var client = new OpcSharpClientBuilder()
    .WithEndpoint("opc.tcp://localhost:4840")
    .WithUserIdentity(new X509Identity(cert))
    .Build();
```

Issued Token (SAML/JWT)
RSA-encrypts the token data for transport.
```csharp
// tokenBytes contains the SAML assertion or JWT token as a byte array
byte[] tokenBytes = GetTokenFromIdentityProvider();
var client = new OpcSharpClientBuilder()
    .WithEndpoint("opc.tcp://localhost:4840")
    .WithUserIdentity(new IssuedTokenIdentity(tokenBytes))
    .Build();
```

Certificate Management
| Feature | Availability / Implementation |
|---|---|
| Self-signed certificate generation | net8.0+ |
| File-based certificate store | DirectoryCertificateStore |
| Certificate validation (expiry, trust) | CertificateValidator |
| Custom validation callback | WithCertificateValidationCallback() |
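The auto-accept switch shown under Configuring Security disables the server certificate check entirely. Where a trust store is not yet in place, the custom validation callback listed above lets you accept exactly one server certificate, identified by its SHA-256 fingerprint, and still reject everything else. The block below is an added example, not OpcSharp's own code. It assumes WithCertificateValidationCallback accepts a Func<X509Certificate2, bool> (the page lists the method but not its signature), and the fingerprint value is a placeholder to be replaced with the one obtained from the server out of band.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example, not OpcSharp code: pin one server certificate by its SHA-256
// fingerprint instead of auto-accepting every untrusted certificate.
public static class ServerCertificatePinning
{
    // Placeholder: the SHA-256 fingerprint of the server's application certificate,
    // obtained out of band and kept in configuration, not in source.
    public const string ExpectedSha256Fingerprint = "<SHA256-FINGERPRINT-OF-THE-SERVER-CERTIFICATE>";

    // Returns true only if the presented certificate is within its validity period
    // and its SHA-256 fingerprint equals the pinned one.
    public static bool IsPinnedServerCertificate(X509Certificate2 cert, string expectedSha256Hex, DateTime utcNow)
    {
        if (cert is null) return false;

        // Reject expired or not-yet-valid certificates even when the fingerprint matches.
        if (utcNow < cert.NotBefore.ToUniversalTime() || utcNow > cert.NotAfter.ToUniversalTime())
            return false;

        byte[] expected;
        try
        {
            // Accept both "AB:CD:..." and "ABCD..." spellings of the fingerprint.
            expected = Convert.FromHexString(expectedSha256Hex.Replace(":", "").Replace(" ", ""));
        }
        catch (FormatException)
        {
            return false; // a malformed pin must fail closed
        }

        byte[] actual = SHA256.HashData(cert.RawData);

        // Constant-time comparison; a length mismatch yields false without early exit.
        return CryptographicOperations.FixedTimeEquals(actual, expected);
    }

    // Wiring into the builder. Assumption: WithCertificateValidationCallback takes a
    // Func<X509Certificate2, bool>; the page names the method but not its signature.
    public static OpcSharpClient BuildPinnedClient()
    {
        return new OpcSharpClientBuilder()
            .WithEndpoint("opc.tcp://localhost:4840")
            .WithSecurity(SecurityPolicyUris.Basic256Sha256, MessageSecurityMode.SignAndEncrypt)
            .WithApplicationCertificate("certs/client.pfx", "password")
            .WithCertificateValidationCallback(cert =>
                IsPinnedServerCertificate(cert, ExpectedSha256Fingerprint, DateTime.UtcNow))
            .Build();
    }
}
```

The return type OpcSharpClient is likewise assumed from the builder's name. Pinning is a stop-gap for environments without a managed trust store; when the server certificate is rotated, the pin must be updated in step or the connection fails closed, which is the intended behaviour.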
Key Derivation
- RSA policies — P_SHA1/P_SHA256 (RFC 5246)
- ECC policies — HKDF-based key derivation
- Symmetric keys — SigningKey, EncryptingKey, InitializationVector derived from nonces
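The RSA-policy derivation step above, as an added example that is not OpcSharp's own code: P_SHA256 from RFC 5246 section 5 implemented directly, then applied the way OPC UA Part 6 derives SigningKey, EncryptingKey and InitializationVector from the two nonces exchanged in OpenSecureChannel. Client-side keys use the server nonce as the PRF secret and the client nonce as the seed; server-side keys swap the two. The lengths (32-byte HMAC-SHA256 key, 32-byte AES-256-CBC key, 16-byte IV) are those of the Basic256Sha256 profile; the HKDF derivation the ECC policies use is not covered here, and the nonces are constructed for the demonstration.

```csharp
using System;
using System.Security.Cryptography;

// Added example, not OpcSharp code: RFC 5246 P_SHA256 and the OPC UA Part 6
// split of its output into the three symmetric channel keys.
public static class OpcUaKeyDerivation
{
    // P_hash(secret, seed): A(0) = seed, A(i) = HMAC(secret, A(i-1)),
    // output = HMAC(secret, A(1) || seed) || HMAC(secret, A(2) || seed) || ...
    public static byte[] PSha256(byte[] secret, byte[] seed, int length)
    {
        using var hmac = new HMACSHA256(secret);
        var output = new byte[length];
        byte[] a = seed;
        int written = 0;
        while (written < length)
        {
            a = hmac.ComputeHash(a);                          // A(i)
            byte[] block = hmac.ComputeHash(Concat(a, seed)); // HMAC(secret, A(i) || seed)
            int take = Math.Min(block.Length, length - written);
            Buffer.BlockCopy(block, 0, output, written, take);
            written += take;
        }
        return output;
    }

    private static byte[] Concat(byte[] x, byte[] y)
    {
        var r = new byte[x.Length + y.Length];
        Buffer.BlockCopy(x, 0, r, 0, x.Length);
        Buffer.BlockCopy(y, 0, r, x.Length, y.Length);
        return r;
    }

    public readonly record struct DerivedKeys(byte[] SigningKey, byte[] EncryptingKey, byte[] InitializationVector);

    // One PRF call yields all key material; it is sliced in the order SigningKey,
    // EncryptingKey, InitializationVector.
    public static DerivedKeys Derive(byte[] secret, byte[] seed, int signingKeyLen, int encryptingKeyLen, int ivLen)
    {
        byte[] material = PSha256(secret, seed, signingKeyLen + encryptingKeyLen + ivLen);
        return new DerivedKeys(
            material[..signingKeyLen],
            material[signingKeyLen..(signingKeyLen + encryptingKeyLen)],
            material[(signingKeyLen + encryptingKeyLen)..]);
    }

    public static void Main()
    {
        // Constructed nonces; on a real channel each side sends a fresh 32-byte random nonce.
        byte[] clientNonce = RandomNumberGenerator.GetBytes(32);
        byte[] serverNonce = RandomNumberGenerator.GetBytes(32);

        // Basic256Sha256 lengths: 32-byte signing key, 32-byte AES-256 key, 16-byte IV.
        // Client keys: secret = server nonce, seed = client nonce. Server keys: swapped.
        DerivedKeys clientKeys = Derive(serverNonce, clientNonce, 32, 32, 16);
        DerivedKeys serverKeys = Derive(clientNonce, serverNonce, 32, 32, 16);

        Console.WriteLine($"client signing key: {Convert.ToHexString(clientKeys.SigningKey)}");
        Console.WriteLine($"server signing key: {Convert.ToHexString(serverKeys.SigningKey)}");
    }
}
```

Because both sides compute both key sets from the same two nonces, each side can verify and decrypt what the other sends without any key ever crossing the wire; the secrecy of the derived keys rests entirely on the nonces, which is why they must come from a cryptographic random source and be used once per channel.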